Running app exposes names and locations of British spies and soldiers

To be clear, the reporters didn't have to breach any networks: they simply accessed the company's Flow app, which is used by owners of Polar fitness trackers to log their workouts - including the routes they take during their runs and jogs. The number of fitness trackers on the market, from Strava and Runkeeper to many others, suggests that the answer is no.

The Explore component of Polar Flow was meant to show anonymous data on its users and their activities around the globe, displaying it in a similar fashion to the activity map that was responsible for Strava's woes earlier in the year. In a statement, the company said that it has "recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations".

Using the map, the publications also found 200 sensitive locations: 125 military bases, 48 nuclear weapon storage facilities, 18 intelligence agencies, a smattering of drone bases, embassies, nuclear power plants and royal residences, and a police academy.

Finding Western military service personnel was easy by cross-referencing names found on the Polar website with social network profiles such as those found on LinkedIn.

By showing all the sessions of an individual combined onto a single map, Polar not only reveals the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also reveals the same information from what are likely their homes.
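Because sessions that start and end at the same place mark that place on a combined map, one mitigation is to cut every track point near a private location before a session is shared publicly. The following Python sketch is an added example, not Polar's code or anything from the investigation; the zone coordinates, the radius, the sample tracks and the helper `redact_track` are all constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

# Constructed sample data: one private zone and two made-up tracks of (lat, lon).
ZONES = [{"lat": 52.0, "lon": 5.0, "radius_m": 300.0}]
HOME_RUN = [(52.0 + i / 1000, 5.0) for i in (0, 1, 2, 3, 4, 5, 4, 3, 2, 1, 0)]
PASS_THROUGH = [(52.0 + i / 1000, 5.0) for i in range(5, -6, -1)]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def in_any_zone(point, zones):
    """True if the point lies within the radius of any private zone."""
    return any(haversine_m(point, (z["lat"], z["lon"])) <= z["radius_m"]
               for z in zones)


def redact_track(points, zones):
    """Return the segments of a track that lie outside every private zone.

    Points inside a zone are dropped. A route that crosses a zone mid-session
    is cut into two segments instead of being joined across the gap, so no
    line is drawn through the hidden area.
    """
    segments, current = [], []
    for p in points:
        if in_any_zone(p, zones):
            if current:
                segments.append(current)
                current = []
        else:
            current.append(p)
    if current:
        segments.append(current)
    # A single leftover point is not a route; drop it.
    return [s for s in segments if len(s) >= 2]


if __name__ == "__main__":
    for name, track in (("home run", HOME_RUN), ("pass-through", PASS_THROUGH)):
        print(name, [len(s) for s in redact_track(track, ZONES)])
```

Set the zone centre some distance from the actual address and use a generous radius, so that the trimmed ends of many sessions do not outline the location being hidden.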

Polar's fitness app had security flaws exposing the location data of its users, according to a joint investigation from De Correspondent and Bellingcat.

"We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing Global Positioning System files of sensitive locations", the statement reads. "As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map", Bellingcat researcher Foeke Postma explained.

Users of the Flow app were located at several military bases, including Erbil in northern Iraq, Guantanamo Bay in Cuba and Gao in Mali.

Polar shows all the user sessions, starting in 2014, from all over the world on one map.

The researchers who compiled the data drew up a list of roughly 6,500 users using the app to publicly store data, including soldiers in sensitive areas and NSA workers. What makes Polar worse is that anyone with basic hacking skills will be able to find specific users, analyze their walks and runs, and determine where they live and where they walk.

The shutdown should be welcomed, but the company has squarely pointed the finger at its users, noting that "the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case".